Code Injection in yogeshojha/rengine


Reported on

Sep 30th 2021


RCE via the YAML configuration of reNgine. In this configuration, the settings of the tools used in scans can be adapted. This functionality can be abused to execute arbitrary code.


In the yaml configuration of reNgine, edit the extensions field of dir_file_search to make it look like this:

extensions: [";echo TEST1234"]

Then, start a scan with any scan engine that includes subdomain discovery and directory search. The subdomain scan must return valid, alive subdomains in order for the directory searching to begin. Then, watch the logs: the dirsearch usage should be printed, with TEST1234 echoed multiple times in the logs.


An attacker can execute arbitrary commands on the system.

Suggested fix

Do not trust user controlled data and do not directly inject it into the command. You should check inputted extensions against an allowlist, and reject any which do not conform to the allowlist.
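One way to implement the suggested fix, as an added example that is not reNgine's own code: each extension from the YAML is normalised and checked against an allowlist before the dirsearch command line is assembled, and the command is built as an argv list rather than a shell string. The allowlist contents and the `dirsearch -u ... -e ...` argv shape are assumptions for the example.

```python
import re

# Constructed allowlist of file extensions a dir/file search engine would accept.
ALLOWED_EXTENSIONS = {"php", "asp", "aspx", "jsp", "html", "txt", "js", "bak", "zip"}
# Defence in depth: even allowlisted values must be short, alphanumeric tokens.
_EXT_RE = re.compile(r"[a-z0-9]{1,8}")


class InvalidExtension(ValueError):
    """Raised when a YAML-supplied extension fails validation."""


def validate_extensions(extensions):
    """Return the cleaned list of extensions, or raise InvalidExtension.

    Each entry is stripped of whitespace and a leading dot, lower-cased, and
    must both match the token pattern and appear in ALLOWED_EXTENSIONS.
    """
    cleaned = []
    for ext in extensions:
        if not isinstance(ext, str):
            raise InvalidExtension(f"extension must be a string: {ext!r}")
        ext = ext.strip().lstrip(".").lower()
        if not _EXT_RE.fullmatch(ext) or ext not in ALLOWED_EXTENSIONS:
            raise InvalidExtension(f"extension not allowed: {ext!r}")
        cleaned.append(ext)
    return cleaned


def is_safe_extension_list(extensions):
    """Boolean form of validate_extensions, handy for config linting."""
    try:
        validate_extensions(extensions)
        return True
    except InvalidExtension:
        return False


def build_dirsearch_argv(url, extensions):
    """Build an argv list (to be run without a shell, e.g. subprocess.run(argv)).

    Because the extensions are validated and no shell parses the result, a
    value such as ";echo TEST1234" is rejected instead of becoming a command.
    """
    exts = validate_extensions(extensions)
    return ["dirsearch", "-u", url, "-e", ",".join(exts)]
```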


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha
2 years ago



Correct me if I am wrong, but shouldn't this be intentional? That is how engine configuration from YAML becomes a command-line args for the tools we are using.

Exploitability is very unlikely.

I am not closing this as N/A, but can you please explain how we deliver this payload and what the possible fixes could be?

We have sent a third follow up to the yogeshojha/rengine team. We will try again in 14 days. 2 years ago
yogeshojha/rengine maintainer has acknowledged this report 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
k0enm has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha
2 years ago


Congratulations on your bounty and I appreciate your patience.

This has been fixed.

Yogesh Ojha marked this as fixed in 1.2.0 with commit 735624 2 years ago
Yogesh Ojha has been awarded the fix bounty